Share via


Automating Desired Configuration Management

Applies To: Forefront Endpoint Protection

You can use the Configuration Manager Windows Management Instrumentation (WMI) provider to automate management of FEP desired configuration management (DCM) baselines.

Configuration baselines define best practices and thresholds for configuration settings. You assign baselines to collections of computers. After the computers receive the baseline, they evaluate their configuration against the baseline, and report their status to the Configuration Manager server.

The following sections demonstrate how you can assign or unassign FEP baselines to a collection. The scripts define switches to specify the Configuration Manager information needed and then use that information to assign the designated baseline to a collection.

Prerequisites

In order to create a script similar to the example in this topic, you must have the following prerequisite software:

  • Windows PowerShell (either version 1.0 or 2.0)

The following example script demonstrates how to assign a FEP DCM baseline to a target collection.

function AssignDCMBaseline(

    $ConfigMgrServer,                   # ConfigMgr WMI site provider to connect to. e.g. MyServer
    $SiteCode,                     # ConfigMgr site code. e.g. ABC
    $BaselineName,                 # DCM Baseline localized name. e.g. “FEP - Standard Desktop”
    $TargetCollectionID,           # Collection ID to assign the baseline to. e.g. ABC00008
    [switch]$IncludeSubCollection) # Switch to include subcollection, default is false (not include) 

{
    $ConfigMgrNamespace = "root\sms\site_$SiteCode"
    $now = Get-Date -Format "yyyyMMddhhmmss.ffffff+***"
    $ConfigMgrProviderPath = "\\" + (Join-Path $ConfigMgrServer $ConfigMgrNamespace)

    # Get the DCM baseline to assign
    $CIBaseline = Get-WmiObject -Class "SMS_ConfigurationBaselineInfo" -filter "LocalizedDisplayName='$BaselineName'" -namespace $ConfigMgrNamespace -computername $ConfigMgrServer

    # Note: it is possible to verify CI exists here (i.e. not $null and only one with name)
    # Create new SMS Baseline Assignment instance
    $newAssignment = ([WmiClass]($ConfigMgrProviderPath + ":SMS_BaselineAssignment")).CreateInstance() 

    $newAssignment.AssignedCIs = @($CIBaseline.CI_ID)
    $newAssignment.TargetCollectionID = $TargetCollectionID 
    $newAssignment.ApplyToSubTargets = $IncludeSubCollection 
    $newAssignment.AssignmentAction = 2 # APPLY    
    $newAssignment.AssignmentName = "Assign $BaselineName to $TargetCollectionID"
    $newAssignment.AssignmentDescription = ""
    $newAssignment.DesiredConfigType = 1 # REQUIRED 
    $newAssignment.DPLocality = 4 # DP_DOWNLOAD_FROM_LOCAL 
    $newAssignment.NotifyUser = $false 
    $newAssignment.SendDetailedNonComplianceStatus = $true 
    $newAssignment.StartTime = $now 
    $newAssignment.SuppressReboot = 0 
    $newAssignment.UseGMTTimes = $false 

    # Create recurrent daily evaluation schedule
    $AssignedSchedule = ([WmiClass]($ConfigMgrProviderPath + ":SMS_ST_RecurInterval")).CreateInstance()  
    $AssignedSchedule.StartTime = $now
    $AssignedSchedule.DaySpan = 1

    $ScheduleAsString = ([WmiClass]($ConfigMgrProviderPath + ":SMS_ScheduleMethods")).WriteToString($AssignedSchedule)
        
    $newAssignment.EvaluationSchedule = $ScheduleAsString.StringData 
    $newAssignment.Put()

    Write-Output "Created assignment of DCM baseline $BaselineName to collection $TargetCollectionID"
}

The following example script demonstrates how to remove a FEP DCM baseline from a target collection.

function RemoveDCMAssignment(

    $ConfigMgrServer,         # ConfigMgr WMI site provider to connect to. e.g. MyServer
    $SiteCode,           # ConfigMgr site code. e.g. ABC
    $BaselineName,       # DCM Baseline localized name. e.g. “FEP - Standard Desktop”
    $TargetCollectionID) # Collection ID to remove the baseline assignment from. e.g. ABC00008
{
    $ConfigMgrNamespace = "root\sms\site_$SiteCode"
    # Get the DCM baseline to remove assignment from
    $CIBaseline = Get-WmiObject -Class "SMS_ConfigurationBaselineInfo" -filter "LocalizedDisplayName='$BaselineName'" -namespace $ConfigMgrNamespace -computername $ConfigMgrServer
    $filter = "AssignedCIs = '{0}' AND TargetCollectionID='{1}'" -f $CIBaseline.CI_ID, $TargetCollectionID
    # Get the existing assignments
    $assignments = Get-WmiObject -class "SMS_BaselineAssignment" -filter $filter -namespace $ConfigMgrNamespace -computername $ConfigMgrServer

    if ($assignments -eq $null)
    {
        Write-Output "There are no DCM baseline $BaselineName assignments to $TargetCollectionID."                
    }
    else
    {
        Write-Output "Removing DCM baseline $BaselineName from collection $TargetCollectionID."                
        $assignments | Remove-WMIObject
    }
}

The following example script demonstrates how to retrieve a Configuration Manager WMI results object that contains compliance results for a DCM baseline assignment.

The results object contains a count of compliant computers, a count of noncompliant computers, a count of evaluation failures, and other information relevant to DCM. For more information about the SMS_CI_ComplianceSummary WMI class see SMS_CI_ComplianceSummary Server WMI Class (https://go.microsoft.com/fwlink/?LinkId=208530) in the Configuration Manager reference documentation on MSDN.

function GetBaselineResult(
        
    $ConfigMgrServer,   # ConfigMgr WMI site provider to connect to. e.g. MyServer
    $SiteCode,     # ConfigMgr site code. e.g. ABC
    $BaselineName) # DCM Baseline localized name. e.g. “FEP - Standard Desktop”
    
{        
    $ConfigMgrNamespace = "root\sms\site_$SiteCode"
    # Get the DCM baseline to query
    $CIBaseline = Get-WmiObject -Class "SMS_ConfigurationBaselineInfo" -filter "LocalizedDisplayName='$BaselineName'" -namespace $ConfigMgrNamespace -computername $ConfigMgrServer
    $result = Get-WmiObject -Class "SMS_CI_ComplianceSummary" -filter ("CI_ID='{0}'" -f $CIBaseline.CI_ID) -namespace $ConfigMgrNamespace -computername $ConfigMgrServer

    return $result
}